CVE Vulnerabilities

CVE-2016-8645

Improper Access Control

Published: Nov 28, 2016 | Modified: Apr 12, 2025
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
4.9 MEDIUM
AV:L/AC:L/Au:N/C:N/I:N/A:C
RedHat/V2
4.9 MODERATE
AV:L/AC:L/Au:N/C:N/I:N/A:C
RedHat/V3
6.2 MODERATE
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.

Weakness

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Software

Name Vendor Start Version End Version
Linux_kernel Linux * 4.8.9 (including)
Red Hat Enterprise Linux 7 RedHat kernel-rt-0:3.10.0-693.rt56.617.el7 *
Red Hat Enterprise Linux 7 RedHat kernel-0:3.10.0-693.el7 *
Red Hat Enterprise MRG 2 RedHat kernel-rt-1:3.10.0-693.2.1.rt56.585.el6rt *
Linux Ubuntu esm-infra-legacy/trusty *
Linux Ubuntu esm-infra/xenial *
Linux Ubuntu focal *
Linux Ubuntu precise *
Linux Ubuntu precise/esm *
Linux Ubuntu trusty *
Linux Ubuntu trusty/esm *
Linux Ubuntu upstream *
Linux Ubuntu vivid/ubuntu-core *
Linux Ubuntu xenial *
Linux Ubuntu yakkety *
Linux-armadaxp Ubuntu precise *
Linux-armadaxp Ubuntu upstream *
Linux-aws Ubuntu focal *
Linux-aws Ubuntu upstream *
Linux-aws-5.15 Ubuntu focal *
Linux-aws-5.4 Ubuntu bionic *
Linux-aws-fips Ubuntu trusty *
Linux-aws-fips Ubuntu xenial *
Linux-aws-hwe Ubuntu xenial *
Linux-azure Ubuntu esm-infra/bionic *
Linux-azure Ubuntu focal *
Linux-azure Ubuntu upstream *
Linux-azure-4.15 Ubuntu bionic *
Linux-azure-5.15 Ubuntu focal *
Linux-azure-5.4 Ubuntu bionic *
Linux-azure-6.11 Ubuntu noble *
Linux-azure-fde Ubuntu esm-infra/focal *
Linux-azure-fde Ubuntu focal *
Linux-azure-fde-5.15 Ubuntu esm-infra/focal *
Linux-azure-fde-5.15 Ubuntu focal *
Linux-azure-fips Ubuntu trusty *
Linux-azure-fips Ubuntu xenial *
Linux-bluefield Ubuntu focal *
Linux-euclid Ubuntu upstream *
Linux-flo Ubuntu trusty *
Linux-flo Ubuntu upstream *
Linux-flo Ubuntu vivid/stable-phone-overlay *
Linux-flo Ubuntu xenial *
Linux-flo Ubuntu yakkety *
Linux-gcp Ubuntu esm-infra/bionic *
Linux-gcp Ubuntu focal *
Linux-gcp Ubuntu upstream *
Linux-gcp-4.15 Ubuntu bionic *
Linux-gcp-5.15 Ubuntu focal *
Linux-gcp-5.4 Ubuntu bionic *
Linux-gcp-6.11 Ubuntu noble *
Linux-gcp-fips Ubuntu trusty *
Linux-gcp-fips Ubuntu xenial *
Linux-gke Ubuntu esm-infra/focal *
Linux-gke Ubuntu focal *
Linux-gke Ubuntu upstream *
Linux-gkeop Ubuntu esm-infra/focal *
Linux-gkeop Ubuntu focal *
Linux-goldfish Ubuntu trusty *
Linux-goldfish Ubuntu upstream *
Linux-goldfish Ubuntu xenial *
Linux-goldfish Ubuntu yakkety *
Linux-goldfish Ubuntu zesty *
Linux-grouper Ubuntu trusty *
Linux-grouper Ubuntu upstream *
Linux-hwe Ubuntu esm-infra/bionic *
Linux-hwe Ubuntu upstream *
Linux-hwe-5.15 Ubuntu focal *
Linux-hwe-5.4 Ubuntu bionic *
Linux-hwe-6.11 Ubuntu noble *
Linux-hwe-edge Ubuntu esm-infra/bionic *
Linux-hwe-edge Ubuntu upstream *
Linux-ibm Ubuntu focal *
Linux-ibm-5.15 Ubuntu focal *
Linux-ibm-5.4 Ubuntu bionic *
Linux-intel-iot-realtime Ubuntu jammy *
Linux-intel-iotg-5.15 Ubuntu focal *
Linux-iot Ubuntu focal *
Linux-kvm Ubuntu focal *
Linux-kvm Ubuntu upstream *
Linux-linaro-omap Ubuntu precise *
Linux-linaro-omap Ubuntu upstream *
Linux-linaro-shared Ubuntu precise *
Linux-linaro-shared Ubuntu upstream *
Linux-linaro-vexpress Ubuntu precise *
Linux-linaro-vexpress Ubuntu upstream *
Linux-lowlatency-hwe-5.15 Ubuntu focal *
Linux-lowlatency-hwe-6.11 Ubuntu noble *
Linux-lts-quantal Ubuntu precise *
Linux-lts-quantal Ubuntu precise/esm *
Linux-lts-quantal Ubuntu upstream *
Linux-lts-raring Ubuntu precise *
Linux-lts-raring Ubuntu precise/esm *
Linux-lts-raring Ubuntu upstream *
Linux-lts-saucy Ubuntu precise *
Linux-lts-saucy Ubuntu precise/esm *
Linux-lts-saucy Ubuntu upstream *
Linux-lts-trusty Ubuntu precise *
Linux-lts-trusty Ubuntu upstream *
Linux-lts-utopic Ubuntu trusty *
Linux-lts-utopic Ubuntu upstream *
Linux-lts-vivid Ubuntu trusty *
Linux-lts-vivid Ubuntu trusty/esm *
Linux-lts-vivid Ubuntu upstream *
Linux-lts-wily Ubuntu trusty *
Linux-lts-wily Ubuntu upstream *
Linux-lts-xenial Ubuntu trusty *
Linux-lts-xenial Ubuntu upstream *
Linux-maguro Ubuntu trusty *
Linux-maguro Ubuntu upstream *
Linux-mako Ubuntu trusty *
Linux-mako Ubuntu upstream *
Linux-mako Ubuntu vivid/stable-phone-overlay *
Linux-mako Ubuntu xenial *
Linux-mako Ubuntu yakkety *
Linux-manta Ubuntu trusty *
Linux-manta Ubuntu upstream *
Linux-nvidia-tegra-5.15 Ubuntu focal *
Linux-oem Ubuntu esm-infra/bionic *
Linux-oem Ubuntu upstream *
Linux-oracle Ubuntu bionic *
Linux-oracle Ubuntu focal *
Linux-oracle Ubuntu xenial *
Linux-oracle-5.15 Ubuntu focal *
Linux-oracle-5.4 Ubuntu bionic *
Linux-qcm-msm Ubuntu precise *
Linux-qcm-msm Ubuntu upstream *
Linux-raspi Ubuntu focal *
Linux-raspi-5.4 Ubuntu bionic *
Linux-raspi-realtime Ubuntu noble *
Linux-raspi2 Ubuntu esm-infra/focal *
Linux-raspi2 Ubuntu focal *
Linux-raspi2 Ubuntu upstream *
Linux-raspi2 Ubuntu vivid/ubuntu-core *
Linux-raspi2 Ubuntu xenial *
Linux-raspi2 Ubuntu yakkety *
Linux-realtime Ubuntu jammy *
Linux-realtime Ubuntu noble *
Linux-riscv Ubuntu esm-infra/focal *
Linux-riscv Ubuntu focal *
Linux-riscv Ubuntu jammy *
Linux-riscv Ubuntu noble *
Linux-riscv-5.15 Ubuntu focal *
Linux-snapdragon Ubuntu upstream *
Linux-snapdragon Ubuntu xenial *
Linux-snapdragon Ubuntu yakkety *
Linux-ti-omap4 Ubuntu precise *
Linux-ti-omap4 Ubuntu upstream *
Linux-xilinx-zynqmp Ubuntu focal *

Extended Description

Access control involves the use of several protection mechanisms such as:

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses:

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

References